The security of oPass: A User Authentication Protocol Resistant to Password Stealing and Password Reuse Attacks proposed by HMSun et al in IEEE Transactions on Information Forensics and Security, Vol7, No2, April 2012 is analyzed Upon completion of the analysis of the paper, four kinds of attacks SMS service, attacks on oPass communication links, unauthorised intruder access using the master password and Network attacks on untrusted web browser are identified in different scenarios Thus, we proved that oPass proposed by HMSun et al is not suitable for practical application

Cryptanalysis of oPass

Text password is the most popular form of user authentication on websites due to its convenience and simplicity. However, users' passwords are prone to be stolen and compromised under different threats and vulnerabilities. Firstly, users often select weak passwords and reuse the same passwords across different websites. Routinely reusing passwords causes a domino effect; when an adversary compromises one password, she will exploit it to gain access to more websites. Second, typing passwords into untrusted computers suffers password thief threat. An adversary can launch several password stealing attacks to snatch passwords, such as phishing, keyloggers and malware. In this paper, we design a user authentication protocol named oPass which leverages a user's cellphone and short message service to thwart password stealing and password reuse attacks. oPass only requires each participating website possesses a unique phone number, and involves a telecommunication service provider in registration and recovery phases. Through oPass, users only need to remember a long-term password for login on all websites. After evaluating the oPass prototype, we believe oPass is efficient and affordable compared with the conventional web authentication mechanisms.

Cryptanalysis of oPass

References

oPass: A User Authentication Protocol Resistant to Password Stealing and Password Reuse Attacks

Related Papers (5)

Attack and Improvement on the One-Time Password Authentication Protocol Against Theft Attacks

User Authentication Protocol Based on Human Memorable Password and Using RSA

Virtualization based password protection against malware in untrusted operating systems

An intrusion-tolerant password authentication system

Security analysis and improvement of a gateway-oriented password-based authenticated key exchange protocol